Bug 1007340 - (CVE-2013-4338, CVE-2013-4339, CVE-2013-4340, CVE-2013-5738, CVE-2013-5739) CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739 wordpress: new security issues fixed in 3.6.1
CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739 wordpre...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130910,repor...
: Security
Depends On: 1007343 1007344
Blocks: 1007345
  Show dependency treegraph
 
Reported: 2013-09-12 05:56 EDT by Ratul Gupta
Modified: 2018-04-30 18:12 EDT (History)
2 users (show)

See Also:
Fixed In Version: wordpress 3.6.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ratul Gupta 2013-09-12 05:56:00 EDT
Wordpress recently released 3.6.1 update which fixes several security issues, some of them being as critical as a Remote Code Execution. Also, some security settings modification was done to avoid execution of certain files.

Version 3.6.1 fixes three security issues:

*    Remote Code Execution: Block unsafe PHP de-serialization that could occur in limited situations and setups, which can lead to remote code execution. 

*    Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website.

*    Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post "written by" another user. 

Additional security hardening:

*    Updated security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.
Comment 1 Ratul Gupta 2013-09-12 05:59:29 EDT
Created wordpress tracking bugs for this issue:

Affects: fedora-all [bug 1007343]
Affects: epel-all [bug 1007344]
Comment 2 Vincent Danen 2013-09-12 12:00:42 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4338 to
the following vulnerability:

Name: CVE-2013-4338
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
Assigned: 20130612
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25325
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-includes/functions.php in WordPress before 3.6.1 does not properly
determine whether data has been serialized, which allows remote
attackers to execute arbitrary code by triggering erroneous PHP
unserialize operations.


Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4339 to
the following vulnerability:

Name: CVE-2013-4339
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
Assigned: 20130612
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25323
Reference: http://core.trac.wordpress.org/changeset/25324
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

WordPress before 3.6.1 does not properly validate URLs before use in
an HTTP redirect, which allows remote attackers to bypass intended
redirection restrictions via a crafted string.


Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4340 to
the following vulnerability:

Name: CVE-2013-4340
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
Assigned: 20130612
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25321
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote
authenticated users to spoof the authorship of a post by leveraging
the Author role and providing a modified user_ID parameter.


Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5738 to
the following vulnerability:

Name: CVE-2013-5738
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
Assigned: 20130911
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25322
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

The get_allowed_mime_types function in wp-includes/functions.php in
WordPress before 3.6.1 does not require the unfiltered_html capability
for uploads of .htm and .html files, which might make it easier for
remote authenticated users to conduct cross-site scripting (XSS)
attacks via a crafted file.


Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5739 to
the following vulnerability:

Name: CVE-2013-5739
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
Assigned: 20130911
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25322
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

The default configuration of WordPress before 3.6.1 does not prevent
uploads of .swf and .exe files, which might make it easier for remote
authenticated users to conduct cross-site scripting (XSS) attacks via
a crafted file, related to the get_allowed_mime_types function in
wp-includes/functions.php.
Comment 3 Vincent Danen 2013-09-12 12:10:21 EDT
External References:

http://wordpress.org/news/2013/09/wordpress-3-6-1/

Note You need to log in before you can comment on or make changes to this bug.